English(EN) "… developers who used AI agents to work with them should assume their systems are compromised… Compromised dev creds led to a legitimate GitHub OIDC token bein

AI 代理与 GitHub OIDC 令牌泄露和恶意软件分发相关联

作者 PulseAugur 编辑部 · [1 个来源] · 2026-06-12 03:57

发现了一个安全漏洞，其中 AI 代理在被开发人员使用时可能导致系统泄露。攻击者利用被泄露的开发人员凭证获取了一个合法的 GitHub OIDC 令牌。这使得他们能够发布一个具有有效 SLSA 来源的恶意构建，该构建随后被常规扫描器识别为受信任的更新，从而使攻击者能够充当已认证的发布者。 AI

影响被泄露的 AI 代理可能被利用来分发恶意软件，这需要为 AI 辅助工具的开发人员和用户加强安全协议。

排序理由文章描述了一个与使用 AI 代理和利用开发人员工具相关的安全漏洞，而不是一个新的 AI 模型发布或核心 AI 研究。

在 Mastodon — fosstodon.org 阅读 →

AI 生成摘要 · Google Gemini · 来自 1 个来源。我们如何撰写摘要 →

报道来源 [1]

Mastodon — fosstodon.org TIER_1 English(EN) · [email protected] · 2026-06-12 03:57

"… developers who used AI agents to work with them should assume their systems are compromised… Compromised dev creds led to a legitimate GitHub OIDC token bein

"… developers who used AI agents to work with them should assume their systems are compromised… Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to …

链接 arstechnica.com/…/for-the-2nd-time-in-wee… 404media.co/microsoft-hacked-to-deliver-m… arstechnica.com/…/2026

报道来源 [1]

"… developers who used AI agents to work with them should assume their systems are compromised… Compromised dev creds led to a legitimate GitHub OIDC token bein

相关实体

相关话题